OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION’S INFORMATION RESOURCES MANAGEMENT STRATEGIC PLAN

September 2007    A-14-07-27133

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter
fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date: September 28, 2007
Refer To:
To: The Commissioner
From: Inspector General
Subject: The Social Security Administration’s Information Resources Management Strategic Plan (A-14-07-27133)

OBJECTIVE

The objective of our review was to evaluate the Social Security Administration’s (SSA) Information Resources Management (IRM) Strategic Plan (IRM Plan) in comparison to best practices and Federal requirements.

BACKGROUND

Purpose of an IRM Plan

Agencies must develop and maintain an IRM Plan as required by the Paperwork Reduction Act of 1995 (PRA). 1 According to the Office of Management and Budget (OMB), IRM Plans should support an agency’s Strategic Plan and provide a description of how IRM activities help accomplish its missions, and ensure that IRM decisions are integrated with organizational planning, budget, procurement, financial management, human resources management, and program decisions. 2

OMB does not have guidance on the specific contents of an IRM Plan. However, an IRM Plan should be strategic in nature and address the requirements of Federal IRM as expressed in the PRA and OMB Circular A-130. 3

1 44 U.S.C.
§ 3506(b)(2).
2 OMB Circular A-130, Management of Federal Information Resources, 8.b.(1)(a).
3 Id.

The Role of Enterprise Architecture

Agencies are also required to create an Enterprise Architecture (EA) Framework to guide strategic IRM planning. 4 An agency’s capital planning and investment control (CPIC) process 5 must build from the agency’s EA. An EA is the explicit description and documentation of the current and desired relationships among business and management processes and Information Technology (IT). The EA should describe the “current” and “target” architectures. In addition, the EA must provide a strategy that supports the current state of operations and also act as the roadmap for transition to its target environment through effective IRM activities. 6 OMB annually evaluates agencies’ EA practices and recently lowered the grades of four agencies’ scores on the President’s Management Agenda E-gov Scorecard in early 2007 because their EA practices did not meet OMB’s expectations.

SSA IRM Strategic Planning

The most recent series of the IRM Plan replaced the Information Technology Architecture Plan (ITAP) that was last published in October 2001. The IRM Plan contains many ITAP features and its content reflects planning decisions made by the Information Technology Advisory Board (ITAB). 7 SSA’s 2007 IRM Plan covers Fiscal Years (FY) 2006-2012.
At SSA, the Office of the Chief Information Officer (OCIO) is responsible for developing SSA’s IRM Plan.

The purpose of SSA’s IRM Plan is to:

• describe how IRM activities help accomplish SSA’s mission, goals and objectives;
• ensure IRM decisions are integrated with organizational planning, budget, procurement, financial management, human resources management, and program decisions;
• present an overview of SSA’s EA; and
• serve as a key component of SSA’s IT CPIC process.

4 OMB Circular A-130, Management of Federal Information Resources, 8.b.(2)(b).
5 OMB Circular A-130, Management of Federal Information Resources, 6.c., defines CPIC process as “a management process for ongoing identification, selection, control, and evaluation of investments in information resources. The process links budget formulation and execution, and is focused on agency mission and achieving specific program outcomes.”
6 OMB Circular A-130, Management of Federal Information Resources, 8.b.(2)(a).
7 ITAB is responsible for the development of SSA’s IT Systems Plan.

RESULTS OF REVIEW

We compared SSA’s IRM Plan with other Federal agencies’ to identify the best practices with regards to the IRM Plan document, given that OMB does not have guidance on the exact contents of an IRM Plan. We found that each of the agencies’ IRM Plans we reviewed had strengths and weaknesses in different areas. We identified and provided examples (Appendices C, D, and E) of some practices used by other agencies that SSA can consider as a part of its IRM process.
These practices, although belonging to agencies whose sizes are different from SSA, provide examples of clear presentation, relevant IRM contents, or enhanced structure.

SSA’s 2007 IRM Plan provides a description of the Agency’s IRM strategic objectives, its current major IT investments, the IT CPIC process, and project management practices. Among the numerous Federal agency IRM Plans we reviewed, SSA’s plan has the broadest coverage. It included areas that some other agencies did not cover such as security, privacy, information dissemination, records management and IT human resources management. It also discussed SSA’s efforts in developing its own versions of Federal Enterprise Architecture (FEA) reference models 8 to demonstrate how SSA supports the goals of FEA.

However, SSA’s IRM Plan needs to be more strategic and provide a better description of how the Agency’s information resources management activities will help accomplish the Agency’s mission, goals and objectives. The IRM Plan would also be more useful if it informed the reader of the Agency’s present position and what it sees as its future IT architecture. This can best be accomplished through a description of SSA’s existing and target EA. Finally, the IRM Plan should be structured in a way to better support the Agency’s Strategic Plan while providing possible solutions to its future challenges and constraints.

SSA is already in the process of taking steps to resolve these issues.

8 According to FEA Consolidated Reference Model Document, Version 2.1, FEA reference models are a set of interrelated “reference models” designed to facilitate cross-agency analysis and the identification of duplicative investments, gaps and opportunities for collaboration within and across agencies.
Collectively, the reference models comprise a framework for describing important elements of the FEA in a common and consistent way.

SSA’s IRM PLAN SHOULD BE MORE STRATEGIC

SSA’s FY 2007 IRM Plan needs to be more strategic and support the Agency’s Strategic Plan. The Agency’s IRM Plan is not strategic in the following areas:

• IRM activities and the underlying EA only span 2 years into the future, even though the IRM Plan states that it covers FYs 2006 through 2012. According to OMB, an IRM Plan should support the Strategic Plan, which must cover a minimum of 5 years. 9 However, SSA’s IT planning process, where IT resources are allocated to projects, and the Agency’s performance goals 10 cover only 2 years. Some of the IT projects approved by ITAB have life spans that are expected to go beyond 2 years; however, SSA’s IT Systems Plan 11 does not have IT projects that will start 2 years in the future. We found examples of other Federal agencies, which show longer range IRM planning activities, such as the Farm Credit Administration’s IRM Plan, 12 as shown in Appendix C and the Bureau of Land Management’s IRM Plan 13 as shown in Appendix D. These IRM Plans include long-term planning for their system development projects. Although these are smaller agencies, we believe a similar practice could be adopted by SSA.
• Some challenges are not fully addressed. SSA’s IRM Plan does not have a sufficient description about how the Agency plans to address its biggest challenge: an increased workload due to disabled and retiring baby boomers.
One SSA goal is to maintain an average annual productivity improvement rate of 2 percent. However, the IRM Plan does not address if the 2 percent increase in productivity, due in part to systems enhancements, will be sufficient to allow SSA to effectively serve the baby boomers in the future, without an increase in staff. SSA needs to establish long-range strategies to fully address these and other critical challenges.

9 Government Performance and Results Act of 1993, Public Law Number 103-62, § 306 b. and c. states the strategic plan shall cover not less than 5 years forward from the FY in which the plan is submitted.
10 OMB Circular A-11, Preparation, Submission, and Execution of the Budget, Section 200, Overview of Strategic Plans, Performance Budgets, and Performance and Accountability Reports, defines performance goals as performance measures with targets and timeframes. These performance measures are reported in SSA’s Performance and Accountability Report and Annual Performance Plan as “Performance Indicators.”
11 SSA’s IT Systems Plan is a product of SSA’s ITAB process and contains the listing of all IT projects reviewed and approved by ITAB.
12 Farm Credit Administration, Information Resources Management, IRM Plan, Fiscal Years 2007-2012.
13 United States Department of the Interior, Bureau of Land Management, Information Resources Management Strategic Plan 2002-2005, May, 2002.

Because SSA’s IRM strategic planning does not go beyond 2 years, its IRM Plan does not provide a clear strategic vision of what the Agency needs or plans to do over the next few years to address its critical challenges.
For SSA’s IRM Plan to serve its strategic purpose, SSA needs to establish a long-range IRM strategic planning process that covers a period consistent with the Agency’s Strategic Plan.

PRESENTATION OF ENTERPRISE ARCHITECTURE COULD BE IMPROVED

EA is the blueprint that guides the Agency’s IRM strategic planning and is instrumental to the Agency’s CPIC process. An EA is considered the blueprint because it provides both the "current architecture" and "target architecture." Thus, these two descriptions enable an agency to support its current state and also act as the roadmap for transition to its target environment through IRM activities. As a result, EA can establish a clear line of sight from investments to measurable performance improvements. 14

The current EA section of SSA’s IRM Plan focuses on SSA’s EA process description and its effort of developing FEA reference models. It does not provide a description of SSA’s existing and target EA as the roadmap for reaching the Agency’s mission and goals. In 2002, SSA developed a document with the Agency’s existing and target architecture. 15 SSA’s April 2003 IRM Plan included the Agency’s then existing and target architecture; however, they have not been included in the Agency’s IRM Plan since that time.

Without a proper description of SSA’s current and future EA in its IRM Plan, readers are not informed of the Agency’s present and target IT environment. Thus the reader is left without the knowledge of what SSA plans or needs to achieve over the next few years to meet the strategic mission and goals that should be integrated in a target EA. SSA is required to architect first and then use the architecture to guide its IT investment planning. 16
SSA’s EA should describe its existing and target EA and provide a strategy that acts as the roadmap for transition to its target environments.

14 OMB FEA Practice Guidance.
15 SSA Enterprise Information Technology Architecture, SSA Application Architecture, Version 1.0, December 16, 2002.
16 OMB FEA Practice Guidance.

The Office of Systems will include the following information in the next IRM Plan:

• the existing and target EA diagrams;
• a verbal description of the fundamental differences between the current and future diagrams; and
• a transition strategy that documents the EA segmentation as well as the projects to manage the orderly transition from the current to the future state.

We commend the Office of Systems for its proactive approach to updating the Agency’s IRM Plan.

THE IRM PLAN COULD BE BETTER STRUCTURED TO ADDRESS ITS RESOURCE NEEDS, CHALLENGES AND CONSTRAINTS

IRM Plan Structure and Agency Strategic Plan Structure

SSA’s IRM Plan chapter 3, in discussing its IT initiatives, should be structured to better support the Agency’s Strategic Plan. SSA’s Strategic Plan is organized using the Agency’s four strategic goals with the strategic objectives related to each of the four goals. For each of the strategic objectives, SSA’s Strategic Plan includes the expected long-term outcomes, and a discussion of possible issues, external factors, and SSA’s means and strategies for reaching its objectives.

The IRM Plan includes a chapter where it discusses its 15 major IT initiatives and related strategies. However, this chapter does not discuss these initiatives and strategies in a manner which creates a vision of how SSA uses IT projects to achieve its goals and objectives as defined in its Strategic Plan.
An example of an IRM formatting structure that provides such a structure is used by the Department of the Interior’s, Fish & Wildlife Service. 17 We have included an example of a section of its IRM Plan in Appendix E, where its goal, objective, target results, performance measures, annual performance goals, and responsible parties, for the future years are all linked together in a one page document. SSA’s IRM Plan needs to better support the Agency’s Strategic Plan as required in OMB Circular A-130, and provide a description of how IRM activities will help accomplish the Agency’s mission. 18

17 Department of the Interior, U.S. Fish and Wildlife Service, Information Resources and Technology Management Strategic Plan, version 1.0, 09/30/2005.
18 OMB Circular A-130, Management of Federal Information Resources, 8.b.(1)(a).

IRM Should Provide More Information About SSA’s Resource Needs and Discuss the Agency’s Challenges, Constraints and Projections

SSA’s IRM Plan does not sufficiently include the information resources the Agency will need to achieve its IT initiatives and strategies. It does not adequately discuss internal and external challenges and constraints that could hinder the IT initiatives and strategies from achieving its goals. Furthermore, the IRM Plan does not include information, such as projections of various initiatives, or how SSA’s IT strategies and initiatives impact the achievement of certain measurable goals.
Therefore, readers cannot easily form a realistic expectation about what results can be achieved, what IT activities need to be achieved, and what challenges and constraints SSA might face in achieving its goals in the future.

OMB states an IRM Plan should be strategic in nature and address the information resources management of the agency. 19 OMB defines that an IRM “…encompasses both information itself and the related resources, such as personnel, equipment, funds and information technology.” 20 SSA’s IRM Plan needs to discuss challenges, constraints and projections to provide a strategic view for the audience.

To address these issues, we recommend that Chapter 3 of SSA’s IRM Plan, where SSA discusses its major IT initiatives, adopt the general structure of the Agency’s Strategic Plan for each of SSA’s Strategic Objectives. SSA should provide the audience with a clear roadmap of how the Agency plans to reach the goals and objectives it defined by discussing areas such as the following:

• strategic goals and objectives;
• performance measures with results;
• information resources management activities (IT projects and strategies);
• major functionality targets and time frames;
• funding, technology, and IT staffing needs; and
• challenges, constraints, possible solutions, and related projections if available.

The OCIO is already taking steps to restructure Chapter 3 of SSA’s IRM Plan with a focus on including more strategic information, covering a 5-year period, to tie the information to the Agency’s Strategic Plan.
We commend the OCIO for its proactive approach to updating the Agency’s IRM Plan.

19 OMB Circular A-130 Management of Federal Information Resources, 8.b.(1).
20 OMB Circular A-130 Management of Federal Information Resources, 6.p.

CONCLUSION AND RECOMMENDATIONS

SSA’s IRM Plan provides a balanced and comprehensive coverage of its IRM and activities. However, SSA can improve in a few areas to fully address the purpose of the Agency’s IRM Plan and meet Federal requirements. SSA’s IRM Plan needs to be more strategic and provide a better description of how IRM activities will help accomplish the Agency’s mission, goals and objectives.

For issues related to SSA as a whole, we recommend SSA:

1. Establish a long range IRM strategic planning process that covers a period consistent with the Agency’s Strategic Plan.

For issues specific to SSA’s IRM Plan, we recommend SSA:

2. Continue plans to include conceptual diagrams and a supplemental description of SSA’s existing and target EA.

3. Adopt the general structure of the Agency’s Strategic Plan, in IRM Plan Chapter 3, where SSA discusses its major IT initiatives.
To provide the audience with a clear roadmap of how SSA plans to achieve the goals and objectives it defined, for each of SSA’s Strategic Objective Portfolios, SSA should discuss areas such as the following:
   √ strategic goals and objectives;
   √ performance measures with results;
   √ information resources management activities (IT projects and strategies);
   √ major milestones and time frames;
   √ funding, technology, and IT staffing needs; and
   √ challenges, constraints, possible solutions and related projections if available.

AGENCY COMMENTS

SSA agreed with our recommendations. The Agency’s comments are included in Appendix F.

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms

APPENDIX B – Scope and Methodology

APPENDIX C – Farm Credit Administration, Information Resources Management, IRM Plan, Fiscal Years 2007-2012

APPENDIX D – United States Department of Interior, Bureau of Land Management Information Resources Management Strategic Plan, 2002-2005

APPENDIX E – U.S.
Fish & Wildlife Service Information Resources and Technology Management Strategic Plan – Version 1.0, 09/30/2005

APPENDIX F – Agency Comments

APPENDIX G – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

CPIC       Capital Planning and Investment Control
EA         Enterprise Architecture
FEA        Federal Enterprise Architecture
FY         Fiscal Year
IRM        Information Resources Management
IRM Plan   IRM Strategic Plan
IT         Information Technology
ITAB       Information Technology Advisory Board
ITAP       Information Technology Architecture Plan
NARA       National Archives and Records Administration
OCIO       Office of Chief Information Officer
OMB        Office of Management and Budget
PRA        Paperwork Reduction Act
SSA        Social Security Administration
U.S.       United States
U.S.C.     United States Code

Appendix B

Scope and Methodology

The objective of our review was to evaluate the Social Security Administration’s (SSA) Information Resources Management (IRM) Strategic Plan (IRM Plan) in comparison to best practices and Federal requirements.

To meet the objective of this audit, we reviewed relevant Federal laws, regulations and guidance. We reviewed SSA’s documents related to IRM, SSA’s Information Technology capital planning and investment control process with a focus on IRM strategic planning, and SSA’s Enterprise Architecture process. We also conducted interviews to obtain an understanding for areas critical to SSA’s IRM strategic planning.

We reviewed the IRM Plans of several Federal agencies.
We compared SSA’s IRM Plan with other Federal agencies’ to identify the best practices with regards to the IRM Plan document, given that the Office of Management and Budget (OMB) does not have guidance on the exact contents of an IRM Plan. We found that for the agencies we reviewed, each has its strengths and weaknesses in different areas. We have identified and provided examples (Appendices C, D, and E) of some practices used by other agencies that could help SSA to better meet its IRM purposes. These practices, although belonging to agencies whose sizes are different from SSA, provide clearer presentation, more relevant IRM contents, or better structure.

We reviewed the following Federal laws, regulations, and guidance:

• Clinger Cohen Act of 1996.
• Paperwork Reduction Act of 1995.
• Government Performance and Results Act of 1993.
• OMB Circular A-130, Management of Federal Information Resources.
• OMB Circular A-11, Preparation, Submission, and Execution of the Budget.
• OMB FEA Practice Guidance.

We reviewed the following SSA documents:

• SSA Information Resources Management Strategic Plans for Fiscal Years 2002 through 2007.
• SSA Strategic Plan FY 2006-FY 2011.
• SSA Annual Performance Plan for Fiscal Year 2008.
• SSA Target Information Technology (IT) Capital Planning and Investment Control Process (CPIC) Guide.
• SSA Information Technology Advisory Board meeting materials and minutes.
• SSA Enterprise Architecture artifacts.

We contacted or interviewed SSA staff in the following components:

• Office of the Chief Information Officer and its Office of Information
Technology Systems Review;
• Office of Systems, Office of Enterprise Support, Architecture and Engineering; and
• Office of Strategic Management.

We also reviewed IRM Plans of other Federal agencies, including the following:

1. United States (U.S.) Department of the Interior,
   • Bureau of Land Management, Information Resources Management Strategic Plan 2002-2005, May, 2002.
   • U.S. Fish & Wildlife Service, Information Resources and Technology Management Strategic Plan, version 1.0, 09/30/2005.
   • Minerals Management Service, Information Technology Strategic Plan and Information Guide, 2005 – 2007.
2. NASA Information Resources Management (IRM) Strategic Plan, September 2006.
3. U.S. Department of Transportation FY 2006-FY 2011 Information Resources Management Plan, September 2006.
4. U.S. Department of Energy Information Resources Management Strategic Plan FY 2007-2009.
5. Department of Justice IT Strategic Plan Fiscal Years 2006-2011.
6. Farm Credit Administration Information Resources Management IRM Plan Fiscal Years 2007-2012.

This audit was performed in accordance with generally accepted government auditing standards. We conducted our field work at the SSA Headquarters in Baltimore, Maryland from January through May 2007.

Appendix C

Farm Credit Administration, Information Resources Management, IRM Plan Fiscal Years 2007-2012

C. Development Projects

New system development projects further our goal of encouraging innovative uses of technology geared toward improving Agency information collection, retrieval, and distribution.
This encompasses projects such as developing new or custom-designed client/server applications, providing the capacity to conduct business electronically internally and externally, assuring public access to Federal information, providing government-wide e-mail, and developing workflow applications.

New system development projects in Fiscal Year 2007 are projected to require 1,034 staff days, which is a 558-day increase from the previous year. There are 22 proposed new development projects. The dollar costs reflected for each project include Farm Credit Administration (FCA) resource costs as well as any externally purchased resources.

1. Infrastructure Review – Office of Management Services (OMS)

With the client/server architecture at the end of its life cycle at FCA, this project will re-evaluate the method of delivering Information Technology (IT) services at FCA to ensure delivery is effective and provided at the best cost-value. The improvements in technology, including the ability to secure information, use the Internet as a reliable highway for delivering information, and the increased need for portability and flexibility of technology delivery to FCA staff are drivers of this initiative. Newer architectures, including Web-based and Web-enabled, may offer the ability to reduce operating costs, accelerate the delivery of applications, and further empower our clients by providing them the ability to more easily access information necessary to support their decision-making processes.
This project will undertake the evaluation of client/server as well as Web-based and Web-enabled architectures and their applicability to the delivery of IT services in the FCA environment.

This project will (1) evaluate the effectiveness and efficiency of delivering IT services using the client/services model, and include a review of Lotus Notes; (2) analyze other architectures including web-based and web-enabled architectures using web services; (3) evaluate the costs and benefits of moving to another architecture; (4) make a recommendation on the appropriate architecture for FCA's IT delivery; (5) evaluate and select new user and development tools to support the appropriate architecture; (6) select new tools and begin migration of legacy applications to new architecture; and (7) design architecture infrastructure to support and optimize the selected architecture (possible infrastructure centralization).

The evaluation and selection of an appropriate IT architecture, configuration and tools improves future capacity of the Agency's IT investment to meet the changing needs of the Agency. The IT architecture hosts and delivers all applications, both critical and non critical, and is essential to efficiently providing the tools customers need to perform their duties.

             FY 2007   FY 2008   FY 2009   FY 2010   FY 2011   FY 2012   Total
Total Cost   232,050   452,420   150,850   44,150    140,050   153,950   1,173,470
OMS Hours    2,490     2,524     2,120     200       200       500       8,034

2.
Examination Workflow Integration \xe2\x80\x93 Office of Examination (OE)\n\n   This project and its various components represent a significant investment in\n   building the new OE, and as such may require substantial resources and\n   emphasis. In fact, various components have already been discussed and\n   resources allocated through the OE Strategic Plan initiatives. This OE Workflow\n   Integration project takes things one step further by integrating all the various\n   components into a common technology platform/system. There are likely other\n   similar examples of processes that could be better integrated. It is important that\n   as OE teams evaluate existing processes/systems or develop new ones, that the\n   technology platform and approach used can result in easy integration with other\n   systems, either immediately or at a later date.\n\n   The goal of this project is to improve our examination processes, risk\n   supervision, and communications, both internally and externally. The project is\n   focused on integrating key aspects of OE workflow using technology solutions,\n   creating an application that will provide a central \xe2\x80\x9claunch pad\xe2\x80\x9d (i.e., graphical user\n   interface) which seamlessly integrates disparate information and systems. The\n   integration of these systems will allow OE to replace manual processes with\n   more automated processes, thereby greatly increasing our efficiency,\n   effectiveness, and consistency. 
   We believe this will be a critical cornerstone for
   the “new OE.” This project will involve a number of parties within and outside OE
   (particularly OMS), and needs to be closely coordinated through the OE IRM
   Operations Committee representative.

                FY 2007   FY 2008   FY 2009   FY 2010   FY 2011   FY 2012   Total
   Total Cost   105,500   105,500    55,500    35,500    35,500    35,500   373,000
   OMS Hours        100       100       100       100       100       100       600

3. Electronic Recordkeeping-Knowledge Management - OMS

   This project is to explore and recommend an electronic recordkeeping and
   knowledge (ERK) management system to manage the Agency's official records
   and institutional knowledge within appropriate legal and regulatory requirements.

   An ERK capability will impact the FCA at all levels by providing timely electronic
   (desktop) access to Agency records for all staff members. ERK will provide an
   enterprise-wide strategy through which official FCA records can be managed
   throughout their lifecycle of document creation, management, distribution,
   storage, retrieval, destruction and/or transmittal to the National Archives and
   Records Administration (NARA). It will also enable the Agency to implement a
   program to manage and retain its critical institutional, technical, and operational
   knowledge. When implemented, a knowledge management mechanism will also
   negate the impact of anticipated staff retirements.

   In the short-term, ERK will require a significant investment of FCA resources but
   will result in the realization of long-term benefits.
   In order for the Agency to
   successfully develop and implement an ERK system, it is imperative the
   initiatives receive visible and consistent support from senior and executive
   management. Any ERK system adopted by the FCA must be compliant with the
   Department of Defense Standard 5015.2 (DoD 5015.2), which is the current
   NARA-endorsed system for Federal recordkeeping.

                FY 2007   FY 2008   FY 2009   FY 2010   FY 2011   FY 2012   Total
   Total Cost   183,700   187,200   107,200    99,200    99,200   191,700   868,200
   OMS Hours      2,220       880       880       880       880     2,220     7,960

                                                                                            Appendix D
United States Department of the Interior, Bureau of Land Management,
Information Resources Management Strategic Plan, 2002-2005
Goal 3: Support the Bureau’s Mission by increasing the Effectiveness and Timeliness of Service
Delivery and Effectiveness of its Human Capital
Objective 2: Recruit and/or retain skilled IRM personnel that are competent in both current and
emerging technologies.
As part of managing IT assets, BLM must invest in timely, appropriate, and industry-standard education and
training to ensure technical staffs in national and field offices understand and can apply current and future
technologies. This strategy involves both a commitment to recruit, train, and retain talented BLM personnel
as well as collaborating with other agencies and organizations to fully utilize their talented individuals and
share resources wherever possible. Arrangements with other agencies will also be used to share technical
personnel in an era of diminishing budgets.
BLM will also stay abreast of emerging trends through an ongoing
program of technology evaluation. New technologies will be introduced through pilot projects where both
the automation and its business benefits and costs can be evaluated before any Bureau-wide adoption or
full-scale deployment occurs.

Outcome                         Performance Measure                  FY 2002     FY 2003     FY 2004     FY 2005
                                                                     goal        goal        goal        goal

Increased availability of IT    Avg percentage of time that          2%          1.75%       1.5%        01.25%
resources                       national systems are unavailable

Increased customer              Customer feedback increases in       -           base line   +10%        +10%
confidence                      value section

Improved performance of IT      Percentage of times IT problems      base-line   +10%        +10%        +10%
resources                       are resolved in one service call.

                                Length of time to resolve problem.   -20%        -20%        -20%        -20%

Skilled IRM support staff to    Average length of service once       base-line   +5%         +5%         +5%
manage and maintain the         employees are considered ‘skilled’
Bureau's systems

Product                         Action/Method                        Responsible Party   Date

Baseline IT performance         Conduct a study of common IT         AD-500              FY02
statistics                      performance statistics to be
                                collected annually

Implementation of               Conduct a study of incentives and    AD-500              FY03
Innovative Personnel            other new alternative management     AD-700
Management Practices for        practices for use in BLM
IRM staff

Development of                  Participate in Department-wide       AD-500              On-going
Cross-agency sharing and        teams that are charged with
other IRM efforts               Interior-wide responsibilities

                                                                                 Appendix E
U.S. Fish & Wildlife Service Information Resources and Technology Management
Strategic Plan – Version 1.0, 09/30/2005
Goal 3: Enhance IRTM Skills of Service Employees. Through planning, assessment, and
education efforts, establish and maintain an adequately skilled workforce to optimize the
productive use of IRTM. Continue to partner closely with the National Conservation Training
Center (NCTC) to ensure that IRTM information is incorporated in the appropriate classes.

Objective 3.1: Recruit and retain sufficient skilled IT personnel, competent in current and
emerging technologies, to optimize the productive use of IT.
Ensure that the Service has an
adequate number of sufficiently skilled IT personnel on an ongoing basis to realize the potential
benefits from the use of IT by all employees.

Target Results                                                          Responsible Parties   Date

All regions, programs, and offices assess existing IT staff, skills,    IRTM, CTO Council     2006
workload, organization and future needs and develop workforce
plans to meet those needs.

Improved outreach to support IT skills. Required actions include:       IRTM, NCTC, CTOs      2006
    • Partnerships with programs, regions, and NCTC to improve
      outreach and education.
    • Partnership with NCTC to ensure that current IT initiatives and
      policies are incorporated in appropriate training classes.
    • Partnerships with DOI IT Training Team to take advantage of
      global training requirements and not duplicate or compete same
      technology among bureaus.

Performance Measures                              FY 2005   FY 2006     FY 2007   FY 2008
                                                  goal      goal        goal      goal

Number of Regions and programs in compliance      -         Base-line
with policy on IT skill sets.

Regions and Offices with IT workforce plans in    -         All         All       All
effect

                  Appendix F

Agency Comments

                                         SOCIAL SECURITY

MEMORANDUM


Date:      September 14, 2007                                                    Refer To:   S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      Larry W. Dye /s/

Subject:   Office of the Inspector General (OIG) Draft Report, “The Social Security Administration’s
           Information Resources Management Strategic Plan” (A-14-07-27133)--INFORMATION


           We appreciate OIG’s efforts in conducting this review. Our comments on the draft report content
           and recommendations are attached.

           Please let me know if we can be of further assistance. Staff inquiries may be directed to
           Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.

           Attachment:
           SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT
REPORT, “THE SOCIAL SECURITY ADMINISTRATION’S INFORMATION
RESOURCES MANAGEMENT STRATEGIC PLAN” (A-14-07-27133)

Thank you for the opportunity to review and comment on the draft report.
We appreciate
your conducting this audit of the Social Security Administration’s (SSA) information
resources management strategic plan.

Recommendation 1

For issues related to SSA as a whole, SSA should establish a long range Information
Resources Management (IRM) strategic planning process that covers a period consistent
with the Agency’s Strategic Plan.

Comment

We agree to establish a long range IRM strategic planning process that covers a period
consistent with the Agency’s Strategic Plan.

Recommendation 2

For issues specific to SSA’s IRM Plan, SSA should continue plans to include conceptual
diagrams and a supplemental description of SSA’s existing and target Enterprise
Architecture (EA).

Comment

We agree and have plans to include the following information in the 2008 IRM Strategic
Plan:
      • the existing and target EA diagrams;
      • a verbal description of the fundamental differences between the current and
        future diagrams; and
      • a transition strategy that documents the EA segmentation as well as the projects
        to manage the orderly transition from the current to the future state.

Recommendation 3

SSA should adopt the general structure of the Agency’s Strategic Plan, in IRM Plan
Chapter 3, where SSA discusses its major information technology (IT) initiatives.
To
provide the audience with a clear roadmap of how SSA plans to achieve the goals and
objectives it defined, for each of SSA’s Strategic Objective Portfolios, SSA should
discuss areas such as the following: 1) strategic goals and objectives; 2) performance
measures with results; 3) information resources management activities (IT projects and
strategies); 4) major milestones and time frames; 5) funding, technology, and IT staffing
needs; and 6) challenges, constraints, possible solutions and related projections if
available.

Comment

We agree and have begun taking steps to restructure Chapter 3 of SSA’s 2008 IRM
Strategic Plan (to be published in 2007) with a focus on including more strategic
information, covering a 5-year period, to tie the information to the Agency’s Strategic
Plan.

                                                                     Appendix D

OIG Contacts and Staff Acknowledgments
OIG Contacts

   Kitt Winter, Director, Data Analysis and Technical Audits Division, (410) 965-9702

   Albert Darago, Audit Manager, Application Controls Branch, (410) 965-9710

Acknowledgments

In addition to those named above:

   Grace Chi, Senior Auditor

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Specialist at (410) 965-3218.
Refer to Common Identification Number
A-14-07-27133.

                           DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of
  Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and
  Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of
  Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,
  Education and Related Agencies, Committee on Appropriations,
  House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
  Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family
  Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

               Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Resource Management (ORM).
To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

                                         Office of Audit
OA conducts and/or supervises financial and performance audits of the Social Security
Administration’s (SSA) programs and operations and makes recommendations to ensure program
objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s
financial statements fairly present SSA’s financial position, results of operations, and cash flow.
Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and
operations. OA also conducts short-term management and program evaluations and projects on
issues of concern to SSA, Congress, and the general public.

                                    Office of Investigations
OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

                   Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary
Penalty program.

                              Office of Resource Management
ORM supports OIG by providing information resource management and systems security. ORM
also coordinates OIG’s budget, procurement, telecommunications, facilities, and human
resources. In addition, ORM is the focal point for OIG’s strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.